Hotmail Hackers: 'We Did It'


A previously unknown group calling itself Hackers Unite has claimed responsibility for publicizing Hotmail's security breach, which Microsoft vehemently denied was the result of a backdoor oversight.

The group of eight hackers said Monday through a spokesman that they announced the hole to the Swedish media to draw attention to what they say is Microsoft's spotty security reputation.

The stunt exposed every Hotmail email account, estimated to number as many as 50 million, to anyone with access to a Web browser.

"We did not do this hack to destroy, we want to show the world how bad the security on Microsoft really is, and that company nearly have monopoly on [all] the computer software," a 21-year-old Swedish member of the group said Monday.

Göteborg resident Lasse Ljung, who goes by the nickname DarkWing on Internet Relay Chat, said he was speaking on behalf of Hackers Unite. IRC is a real-time chat network commonly used by hackers and crackers to communicate and plan their activities.

Ljung said that Hackers Unite is composed of one Swedish citizen and seven Americans. The group declined to communicate directly with Wired News, which could not positively confirm their identities.

The handful of lines of simple HTML code that constitute the exploit took advantage of a Hotmail login script called "start" that is not currently used on the Hotmail welcome page, and the password "eh."

After examining that code early Monday, outside security experts suggested that the problem might have been a backdoor inadvertently left open on Hotmail servers by Microsoft engineers.

Microsoft vehemently denied the backdoor suggestions, and instead described the problem as "an unknown security issue."

"There is nothing to these allegations [of a backdoor in Hotmail]," said MSN marketing director Rob Bennett. "It is not true. Microsoft values the security and privacy of our users above all."

However, Jon Thompson, administrator of one of the sites that hosted the Hotmail exploit, told MSNBC.com that his associates had known about the vulnerability – and had access to Hotmail accounts – for about eight weeks.

Thompson told MSNBC.com, an MSNBC partner, the culprit was MSN's new Passport service, which allows users to log in once and click between MSN Web sites. He said Hotmail had been vulnerable since MSN launched Passport in beta form.

Deanna Sanford, lead project manager for MSN, told MSNBC.com the flaw was not related to Passport but added she did not know how long the vulnerability had existed.

Bennett said the company began scrambling to fix the problem at 2 a.m. PDT and had the initial fix up at 10 a.m. A subsequent variant of the problem was fixed around noon.

The second problem was a result of the company "getting the fix propagated to all the Hotmail servers," he said.

"We are manually going from machine to machine to make sure all the fixes are there."

Bennett said the start script in question is used in areas of the site other than logging in users. He said they had plugged the problem with the script.

What is known, however, is that the Hotmail problem is likely the most widespread security incident in the history of the Web. The private email accounts of some 50 million people were open to browsing by anyone.

The incident did not faze Wall Street. In late afternoon trading, Microsoft stock was at US$92.25, down one point.